Previously, a session could be created when anonymously accessing the
django.contrib.auth.views.logout() view (provided it wasn’t decorated
with login_required() as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users’ session records to be evicted.